
I was checking into using Caddy for new projects instead of NGINX or Apache HTTPD, but my new projects require OAuth2/OIDC authentication. It seems there's not built-in support for that kind of thing. There's the caddy-security plugin, but people online have been saying it has disclosed security vulnerabilities that aren't being fixed.

Are you using caddy-security? Or is there a better alternative?



With nginx I'm assuming you would use something like Vouch or oauth2-proxy? Something like the architecture described here:

https://github.com/vouch/vouch-proxy?tab=readme-ov-file#what...

Can't speak for caddy-security, but the forward_auth feature is the Caddy equivalent to nginx's auth_request.
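A minimal Caddyfile showing that forward_auth pattern with oauth2-proxy as the auth upstream, added here as an example; it is not code from the thread or from either project, and the hostnames (example.com, oauth2-proxy:4180, app:8080) are assumptions:

```caddyfile
example.com {
    # Requests for oauth2-proxy's own routes (sign-in, callback, sign-out)
    # go straight to it, never to the application.
    handle /oauth2/* {
        reverse_proxy oauth2-proxy:4180 {
            header_up X-Real-IP {remote_host}
            header_up X-Forwarded-Uri {uri}
        }
    }

    handle {
        # Equivalent of nginx auth_request: a GET to oauth2-proxy's /oauth2/auth
        # endpoint decides whether the original request may proceed.
        forward_auth oauth2-proxy:4180 {
            uri /oauth2/auth
            header_up X-Real-IP {remote_host}
            # Identity headers from a 2xx auth response are copied onto the
            # request before it reaches the app (oauth2-proxy only emits these
            # when run with --set-xauthrequest).
            copy_headers X-Auth-Request-User X-Auth-Request-Email

            # A 401 from oauth2-proxy means "no valid session": send the browser
            # to the sign-in flow and return it to the page it asked for.
            @unauthenticated status 401
            handle_response @unauthenticated {
                redir * /oauth2/sign_in?rd={scheme}://{host}{uri}
            }
        }
        reverse_proxy app:8080
    }
}
```

The application must treat X-Auth-Request-User and X-Auth-Request-Email as trustworthy only when the request arrives through Caddy; if the app port is reachable directly, a client can set those headers itself, so bind the app to a network only the proxy can reach.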


Just watch out when using oauth2-proxy, because its default session storage using cookies can easily blow out the header size of nginx, leading to the dreaded "400 header too large".

One fix is moving session storage to redis <https://oauth2-proxy.github.io/oauth2-proxy/configuration/se...> and the other (if you have control over the nginx config) is bumping its allowed header size "large_client_header_buffers 4 128k;" <https://nginx.org/en/docs/http/ngx_http_core_module.html#lar...>

If you're using nginx as an ingress controller, the annotations support it: <https://kubernetes.github.io/ingress-nginx/user-guide/nginx-...> and/or auth-snippet <https://kubernetes.github.io/ingress-nginx/user-guide/nginx-...>


Thanks for the heads-up.

I'm curious at what would be stored in the session to make it large enough to be a problem, but it's good to know to watch out for it.


I believe it's almost always the "groups" claim <https://github.com/oauth2-proxy/oauth2-proxy/issues?q=cookie...>, but I would suspect any sufficiently large set of claims would do it (e.g. a huge "iss", erroneously returning the user profile jpeg attribute, who knows).
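To make the size question from the previous reply concrete, here is an added Python model (not oauth2-proxy's real session encoding, and not from the thread) of how a client-side session grows with the "groups" claim, how it gets split across cookie chunks, and when the resulting single Cookie header line exceeds nginx's default large_client_header_buffers size of 8k. The JSON layout, the 4 KiB chunk size, the 28-byte encryption overhead and the sample identity values are all constructed assumptions:

```python
"""Constructed model of why a client-side session cookie can trigger nginx's
'400 Request Header Or Cookie Too Large'. Serialization, encryption overhead
and chunk size are assumptions, not oauth2-proxy's actual encoding."""
import json
import math

# nginx default is "large_client_header_buffers 4 8k": any single header line
# over 8 KiB is rejected, and a browser sends all cookies in ONE Cookie header.
NGINX_DEFAULT_HEADER_BUFFER = 8 * 1024
# Assumption: the proxy splits a large session value into 4 KiB chunks named
# <name>_0, <name>_1, ... (oauth2-proxy does chunk; the exact size is assumed).
COOKIE_CHUNK_BYTES = 4096
COOKIE_NAME = "_oauth2_proxy"
# Assumption: fixed cost of an AEAD nonce + tag added before base64url encoding.
AEAD_OVERHEAD = 28


def build_session(n_groups: int, id_token_bytes: int = 900) -> dict:
    """Constructed session: a few identity fields, an ID token, and a
    'groups' claim with n_groups entries (the usual culprit)."""
    return {
        "email": "alice@example.test",
        "user": "alice",
        "groups": [f"group-{i:04d}@example.test" for i in range(n_groups)],
        "id_token": "t" * id_token_bytes,
        "expires_on": 1700000000,
    }


def encoded_value_length(session: dict) -> int:
    """Cookie value length: compact JSON + AEAD overhead, base64url-encoded."""
    raw = len(json.dumps(session, separators=(",", ":")).encode())
    return 4 * math.ceil((raw + AEAD_OVERHEAD) / 3)


def cookie_header_length(session: dict) -> int:
    """Bytes of the 'Cookie: name_0=<chunk>; name_1=<chunk>; ...' line the
    browser sends back, including names, '=' signs and '; ' separators."""
    value_len = encoded_value_length(session)
    chunks = max(1, math.ceil(value_len / COOKIE_CHUNK_BYTES))
    total = len("Cookie: ")
    for i in range(chunks):
        chunk_len = min(COOKIE_CHUNK_BYTES, value_len - i * COOKIE_CHUNK_BYTES)
        total += len(f"{COOKIE_NAME}_{i}=") + chunk_len
    return total + 2 * (chunks - 1)  # "; " between cookies


def exceeds_nginx_default(session: dict) -> bool:
    """True when nginx with default buffers would answer 400 to this request."""
    return cookie_header_length(session) > NGINX_DEFAULT_HEADER_BUFFER


def smallest_failing_group_count(step: int = 10, limit: int = 2000) -> int:
    """First group count (counting in steps) whose Cookie header no longer
    fits nginx's default buffer."""
    for n in range(0, limit + 1, step):
        if exceeds_nginx_default(build_session(n)):
            return n
    raise ValueError("no failure below limit")


if __name__ == "__main__":
    for n in (0, 50, 100, 200, 400):
        s = build_session(n)
        print(f"{n:4d} groups -> Cookie header {cookie_header_length(s):6d} bytes, "
              f"{'REJECTED' if exceeds_nginx_default(s) else 'ok'} under nginx defaults")
    print("smallest failing group count (step 10):", smallest_failing_group_count())
```

Because the whole session rides in the Cookie header, the limit is hit by the request to nginx, not by the IdP, which is why the two fixes upthread are either to move the session server-side (Redis) so the cookie holds only a reference, or to raise nginx's buffer. A server-side store also keeps tokens and group lists out of the browser entirely, which is the better default from a data-exposure standpoint.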


Thanks. I've used oauth2-proxy with NGINX. So I could try to set up oauth2-proxy with Caddy in a similar way.



